tcpdump mailing list archives
Re: why it was not capturing exact bytes given in tcpdump -s
From: Guy Harris <guy () alum mit edu>
Date: Mon, 16 Jan 2006 11:14:17 -0800
On Jan 16, 2006, at 1:33 AM, Latha G wrote:
I had given "tcpdump -c 1 -s 40 > file"; after that I checked the file size using "ls -l file", and the file size I got was some 83 bytes.
There are several issues here. For one thing, as you didn't use the "-w" option:

tcpdump -c 1 -s 40 -w file

what tcpdump is writing to the file is *NOT* raw packet data, it's a printout of a dissection of the packet's data. There is *NO* guarantee that the number of characters of text that

tcpdump -c 1 -s 40 > file

will write to "file" has any connection to the size of the packet it captures.
And even if you use "-w", a libpcap-format file includes more than just the raw packet data; it includes a file header, 24 bytes long, giving information such as the type of link-layer header in the packets in the file (Ethernet, Token Ring, 802.11, FDDI, PPP, etc.), and it includes, for each packet, a per-packet header, 16 bytes long, giving the packet time stamp and length information for the packet.
Furthermore:
It was varying from time to time as I executed tcpdump; some times the file size is 232 bytes. Anyway, I am getting the captured bytes to be other than the given snaplen bytes. The -s option is to capture snaplen bytes of data. Then why was it not capturing exactly the bytes given?
...the "-s" option is *NOT* to capture exactly "snaplen" bytes of data. It's to save *no more than* "snaplen" bytes of data; it will not pad the packet to "snaplen" if it's shorter than "snaplen", it'll just cut the packet data short if it's *longer* than "snaplen".
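The arithmetic behind the reply, as an added example that is not part of the thread: a minimal writer and reader for the classic little-endian libpcap format (24-byte file header, 16-byte per-packet header, microsecond timestamps), with constructed frames rather than real traffic, showing that a file written at -s 40 stores min(len, 40) bytes of each packet and never pads a short one.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1
FILE_HEADER_LEN = 24      # the 24-byte file header
PACKET_HEADER_LEN = 16    # the 16-byte per-packet record header

def write_pcap(packets, snaplen, linktype=LINKTYPE_ETHERNET):
    """Build a little-endian libpcap capture from (ts_sec, ts_usec, data)
    tuples, storing at most ``snaplen`` bytes of each packet, never padding."""
    # File header: magic, version 2.4, tz offset, sigfigs, snaplen, linktype
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)
    for ts_sec, ts_usec, data in packets:
        caplen = min(len(data), snaplen)          # bytes actually saved
        # Per-packet header: ts_sec, ts_usec, incl_len (saved), orig_len (on the wire)
        out += struct.pack("<IIII", ts_sec, ts_usec, caplen, len(data))
        out += data[:caplen]
    return out

def read_pcap(blob):
    """Parse a capture from write_pcap; return (snaplen, [(caplen, orig_len, data)])."""
    magic, _maj, _min, _tz, _sig, snaplen, _lt = struct.unpack_from("<IHHiIII", blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap file")
    off, records = FILE_HEADER_LEN, []
    while off < len(blob):
        _s, _u, caplen, orig_len = struct.unpack_from("<IIII", blob, off)
        off += PACKET_HEADER_LEN
        records.append((caplen, orig_len, blob[off:off + caplen]))
        off += caplen
    return snaplen, records

def expected_file_size(wire_lengths, snaplen):
    """File size implied by the headers: 24 + sum(16 + min(len, snaplen))."""
    return FILE_HEADER_LEN + sum(PACKET_HEADER_LEN + min(n, snaplen) for n in wire_lengths)

def demo():
    """Constructed frames, not real traffic: a 64-byte and a 20-byte packet at -s 40."""
    long_frame = bytes(range(64))
    short_frame = bytes(20)
    blob = write_pcap([(1137438857, 0, long_frame), (1137438858, 0, short_frame)], snaplen=40)
    snaplen, records = read_pcap(blob)
    return len(blob), snaplen, records

if __name__ == "__main__":
    size, snaplen, records = demo()
    print(f"file size {size} bytes, snaplen {snaplen}")
    for caplen, orig_len, _ in records:
        print(f"  saved {caplen} of {orig_len} bytes")
```

With these two frames the file is 24 + (16 + 40) + (16 + 20) = 116 bytes: the long frame is cut to 40 bytes and the short one is stored at its full 20, which is why a capture's size is not a fixed multiple of the snaplen.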